UNIX SECURITY (AUDIT NO. 296)
SEPTEMBER 14, 1999

EXECUTIVE SUMMARY

Our audit of security practices over Unix-based systems found that those practices were for the most part reasonably effective. Some general issues (user training and password use, written procedures) will be addressed as the Commission takes corrective action on its material weakness in ADP security. We are making several specific recommendations, including updating network maps and periodically changing and validating root passwords.

Generally, the Office of Information Technology concurs with our findings and recommendations (see its comments, attached). The Office of the Executive Director provided informal comments. We have revised the report appropriately to reflect the comments.

SCOPE AND OBJECTIVES

Our objective was to evaluate the Commission's security practices over its Unix-based systems at the Data Center in Alexandria, Virginia. Among other procedures, we interviewed system administrators and security staff, reviewed selected documentation, and tested a judgment sample of 5 out of approximately 80 Unix systems.

We reviewed the application of software patches, documentation of server and network configuration, scripted programming practices, physical access controls for servers, development of security plans, and performance of periodic risk assessments. Our testing was limited by time constraints.

The audit was performed between February and April 1999, in accordance with generally accepted government auditing standards.

BACKGROUND

The Unix operating system is installed on approximately 80 servers throughout the Commission, performing security (firewall), database, and general application functions. Unix systems administration is performed at three locations within the Office of Information Technology (OIT)[1]:

•  the Systems Software Branch supports test and production environments for internal applications (except the Internet and Intranet);
•  the Applications Development Team supports the Internet and Intranet; and
•  the Security Group supports firewalls (security mechanisms controlling entry and exit to the network).

[1] Except for the EDGAR system, which is performed by the EDGAR contractor (TRW, Inc.).

The Commission has reported ADP security as a material weakness since 1989. Formation of the Security Group (during OIT's recent reorganization) is one major step in addressing this weakness.

Currently, the Security Group consists of four employees. Its mission statement indicates that the Group is responsible for Commission systems and network security; prepares and coordinates security policy and procedures; and conducts security audits. While the Group is the focal point for security, it is a Commission-wide responsibility.

The Group maintains a sophisticated near-time intrusion and logging capability for entry and exit to the network. It has held training sessions for system administrators; conducted security posture assessments; and communicated various security deficiencies to system administrators. The Group has started to develop Security Plans for its systems, as required by the Computer Security Act of 1987. It obtained approval in December 1998 for an administrative regulation that establishes an Information Technology Security Program. In addition, it has drafted technical bulletins providing security guidelines and requirements.

AUDIT RESULTS

Commission security practices over Unix-based systems for the most part are reasonably effective. Some needed improvements relate to the previously identified material weakness in ADP security (e.g., security training, issuance of final security guidance), discussed in the Background section. We identified several improvements specifically relating to Unix security practices, as discussed below.

NETWORK MAPS

Network maps or diagrams provide a logical and physical view of the Commission's data networks. They show network types, server and host addresses, connections to external networks and other devices (such as hubs, routers, gateways and management devices), and the physical layout of buildings, devices and servers.

OIT's Network Engineering Group acknowledged that the maps are out-of-date, and in some respects do not accurately reflect the current network configuration. The Group indicated that resource constraints and other priorities kept them from updating the diagrams.

Network maps are an important control used for security evaluation, troubleshooting, network design, and training new staff.

Recommendation A
OIT should maintain current network configuration data, so logical and physical views of the Commission's networks can be readily developed when needed. As resources permit, it should update the Commission's network maps (including those supported by contractors, e.g., EDGAR).

ROOT ACCESS CODES

Root access provides system administrators with unlimited authority over a computer's operating system. Because they provide superuser privileges, root access codes need to be secure, yet available when administrators are absent.

OIT stores root access codes for its systems in sealed, labeled envelopes in a safe. We examined these envelopes, and noted codes stored for systems no longer in use (i.e., the RS6000 system), and for two departed system administrators. One had left the Commission, and one had been reassigned within OIT; both had the combination to the safe, which has not been changed.

Apparently, OIT has procedures for security and availability of access codes, but the procedures are unwritten and not uniformly followed. Invalid root access codes can cause significant delays, particularly if one has to rebuild the operating system.

Recommendation B
OIT should periodically validate its stored root access codes, and change the safe combination when system administrators depart. It should develop written procedures for storage of codes.

PASSWORDS

Based on our tests of five Unix systems (including EDGAR), password files were for the most part protected. Also, passwords were generally assigned to user accounts. We notified OIT and the EDGAR contractor of a few exceptions requiring corrective action.

System administrators informed us that root access passwords were not being periodically changed in some cases, potentially compromising passwords and system security over time. OIT management indicated that this issue will be covered in a password management bulletin, currently in draft.

Recommendation C
OIT should notify system administrators that root passwords should be periodically changed.

Recommendation D
OIT, in consultation with the Office of the Executive Director (OED), should finalize the password management bulletin. The bulletin should require root access passwords to be changed periodically (e.g., every six months), and whenever a system administrator leaves.

PERFORMANCE PLANS

We reviewed the performance plans of four OIT system administrators. None of the plans included security as an element, even though administrators have significant security responsibilities. System administration is also performed by staff outside OIT, according to OIT.

Recommendation E
OIT should include security as an element (or as part of an element) in the performance plans of its system administrators.

Recommendation F
OIT, in consultation with OED and the Office of Administrative and Personnel Management, should ask offices with system administrators to consider including security as an element in their performance plans.
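The Passwords section and Recommendations C and D above describe three checks an administrator can make on each Unix system: that every account has a password assigned, that the password files are protected, and that the root password is changed periodically (e.g., every six months). The following script is an added example and is not part of the audit report or of OIT's procedures. It assumes the Linux-style /etc/passwd and /etc/shadow layouts (the systems audited in 1999 may have used a different shadow implementation), treats 180 days as the "six months" threshold, and runs over constructed sample file contents so it executes offline; to audit a live system, read the two files and their modes with os.stat instead of the samples.

```python
"""Audit helpers for the password findings: unpassworded accounts,
password-file protection, and root password age. Added example; the
file formats assumed are the Linux /etc/passwd and /etc/shadow layouts."""
import os
import stat
import time

# Constructed sample contents (not taken from any audited system).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/sh\n"
    "bob:x:1001:1001:Bob:/home/bob:/bin/sh\n"
    "legacy::1002:1002:Legacy account:/home/legacy:/bin/sh\n"
)
SAMPLE_SHADOW = (
    "root:$6$salt$hash:10000:0:99999:7:::\n"
    "daemon:*:10000:0:99999:7:::\n"
    "alice:$6$salt$hash:10950:0:99999:7:::\n"
    "bob::10950:0:99999:7:::\n"
    "legacy:$6$salt$hash:10950:0:99999:7:::\n"
)


def parse_colon_file(text):
    """Return {name: fields} for a passwd- or shadow-style file."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def accounts_without_password(passwd_text, shadow_text):
    """Names whose password field is empty in /etc/passwd, or whose
    shadow entry is empty or missing when passwd defers to it ("x").
    Locked markers (*, !, !!) are not flagged: those accounts cannot log in."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    flagged = []
    for name, fields in passwd.items():
        pw = fields[1]
        if pw == "":
            flagged.append(name)  # empty field in passwd: no password at all
        elif pw == "x":
            sfields = shadow.get(name)
            if sfields is None or sfields[1] == "":
                flagged.append(name)
    return flagged


def root_password_age_days(shadow_text, today_days):
    """Days since root's password was last changed (shadow field 3 holds the
    change date in days since the epoch). None if unknown or aging disabled."""
    fields = parse_colon_file(shadow_text).get("root")
    if fields is None or len(fields) < 3 or fields[2] == "":
        return None
    return today_days - int(fields[2])


def password_file_mode_ok(kind, mode):
    """/etc/passwd may be world-readable but not group/world-writable;
    /etc/shadow must grant 'other' no access at all (0640 root:shadow is typical)."""
    if kind == "passwd":
        return not (mode & (stat.S_IWGRP | stat.S_IWOTH))
    if kind == "shadow":
        return not (mode & stat.S_IRWXO)
    raise ValueError("unknown file kind: %r" % kind)


def run_audit(passwd_text, shadow_text, today_days, passwd_mode, shadow_mode,
              max_age_days=180):
    """Return a list of human-readable findings; empty means all checks passed."""
    findings = []
    for name in accounts_without_password(passwd_text, shadow_text):
        findings.append("account '%s' has no password assigned" % name)
    age = root_password_age_days(shadow_text, today_days)
    if age is None or age > max_age_days:
        findings.append("root password last changed %s days ago (limit %d)"
                        % (age, max_age_days))
    if not password_file_mode_ok("passwd", passwd_mode):
        findings.append("/etc/passwd mode %s is group/world writable" % oct(passwd_mode))
    if not password_file_mode_ok("shadow", shadow_mode):
        findings.append("/etc/shadow mode %s is readable by others" % oct(shadow_mode))
    return findings


if __name__ == "__main__":
    # Stand-alone run over the constructed samples; shadow mode 0644 is the
    # deliberately weak setting, 0640 the corrected one.
    today = int(time.time() // 86400)
    for finding in run_audit(SAMPLE_PASSWD, SAMPLE_SHADOW, today, 0o644, 0o644):
        print("FINDING:", finding)
    print("shadow 0640 acceptable:", password_file_mode_ok("shadow", 0o640))
```

The script reports a finding for each exception rather than stopping at the first, which matches how the audit communicated "a few exceptions requiring corrective action" to OIT; the 180-day limit is a parameter so it can follow whatever interval the password management bulletin finally sets.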